Message-ID: <YBF2/qHqa7+s9+5d@hovoldconsulting.com>
Date:   Wed, 27 Jan 2021 15:21:50 +0100
From:   Johan Hovold <johan@...nel.org>
To:     Anant Thazhemadam <anant.thazhemadam@...il.com>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 03/12] usb: misc: cytherm: update to use
 usb_control_msg_recv()

On Wed, Jan 27, 2021 at 12:03:54AM +0530, Anant Thazhemadam wrote:
> The newer usb_control_msg_{send|recv}() APIs are an improvement on the
> existing usb_control_msg() as they ensure that a short read/write is treated
> as an error, data can be used off the stack, and raw usb pipes need not be
> created in the calling functions.
> For this reason, the instance of usb_control_msg() has been replaced with
> usb_control_msg_recv().
> 
> The return value checking enforced by callers of the updated function has
> also been appropriately updated.
> 
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
> ---
>  drivers/usb/misc/cytherm.c | 128 +++++++++++++------------------------
>  1 file changed, 43 insertions(+), 85 deletions(-)
> 
> diff --git a/drivers/usb/misc/cytherm.c b/drivers/usb/misc/cytherm.c
> index 3e3802aaefa3..2ca36ea5b76a 100644
> --- a/drivers/usb/misc/cytherm.c
> +++ b/drivers/usb/misc/cytherm.c
> @@ -51,12 +51,12 @@ static int vendor_command(struct usb_device *dev, unsigned char request,
>  			  unsigned char value, unsigned char index,
>  			  void *buf, int size)
>  {
> -	return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
> -			       request, 
> -			       USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_OTHER,
> -			       value, 
> -			       index, buf, size,
> -			       USB_CTRL_GET_TIMEOUT);
> +	return usb_control_msg_recv(dev, 0,
> +				    request,
> +				    USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_OTHER,
> +				    value,
> +				    index, buf, size,
> +				    USB_CTRL_GET_TIMEOUT, GFP_KERNEL);
>  }
>  
>  
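Review bot: The return contract of vendor_command() changes here without any comment saying so. usb_control_msg() returned the number of bytes transferred, while usb_control_msg_recv() returns 0 on success and a negative errno otherwise, and per the commit message a reply shorter than `size` now counts as an error. Please add a short comment above vendor_command() stating the new contract, and confirm for each caller that the device really returns the full `size` it is asked for (8 in brightness_store()), because a shorter reply now fails the whole call.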
> @@ -78,33 +78,27 @@ static ssize_t brightness_store(struct device *dev, struct device_attribute *att
>  	struct usb_interface *intf = to_usb_interface(dev);
>  	struct usb_cytherm *cytherm = usb_get_intfdata(intf);
>  
> -	unsigned char *buffer;
> +	unsigned char buffer[8];
>  	int retval;
> -   
> -	buffer = kmalloc(8, GFP_KERNEL);
> -	if (!buffer)
> -		return 0;
>  
>  	cytherm->brightness = simple_strtoul(buf, NULL, 10);
> -   
> +
>  	if (cytherm->brightness > 0xFF)
>  		cytherm->brightness = 0xFF;
>  	else if (cytherm->brightness < 0)
>  		cytherm->brightness = 0;
> -   
> +
>  	/* Set brightness */
>  	retval = vendor_command(cytherm->udev, WRITE_RAM, BRIGHTNESS, 
> -				cytherm->brightness, buffer, 8);
> -	if (retval)
> -		dev_dbg(&cytherm->udev->dev, "retval = %d\n", retval);
> +				cytherm->brightness, &buffer, 8);
> +	if (!retval)
> +		dev_dbg(&cytherm->udev->dev, "brightness set correctly\n");
>  	/* Inform µC that we have changed the brightness setting */
>  	retval = vendor_command(cytherm->udev, WRITE_RAM, BRIGHTNESS_SEM,
> -				0x01, buffer, 8);
> -	if (retval)
> -		dev_dbg(&cytherm->udev->dev, "retval = %d\n", retval);
> -   
> -	kfree(buffer);
> -   
> +				0x01, &buffer, 8);
> +	if (!retval)
> +		dev_dbg(&cytherm->udev->dev, "µC informed of change in brightness setting\n");
> +
>  	return count;
>  }
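Review bot: In brightness_store() the new `if (!retval)` checks log only on success, so a failed or short transfer leaves no trace at all, where the old code at least printed `retval = %d`. Keep an error path that logs the errno, and consider returning it instead of falling through to `return count`; as written the BRIGHTNESS_SEM command is still sent after a failed BRIGHTNESS write and the sysfs write reports success either way. Separately, `&buffer` on `unsigned char buffer[8]` has type pointer-to-array; it converts to `void *` with the same address, but plain `buffer` is the idiomatic argument.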

This driver looks like it could have the same origin as the one touched
by the previous patch, and likewise this patch suffers from a similar
problem in that the driver always provides an 8-byte buffer but appears
to expect short reads (which would now be treated as errors).

You could consider adding the missing short read sanity checks, but
I'm afraid the new helpers are not a good fit here either.

Johan
